01
Introduction
Paint Orange, S.A., registered in Portugal under number 514530081 and operating commercially as Shiptimize, is committed to protecting your personal data and respecting your privacy.
This privacy policy describes what personal data we collect when you visit www.shiptimize.me (the Website), the purposes for which we collect it, the legal basis for processing, how long we keep it, and your rights as a data subject under Regulation (EU) 2016/679 (the GDPR).
This policy applies to the Website only. It does not govern personal data processed through the Shiptimize technology platform or portal, which is subject to separate contractual arrangements.
Paint Orange, S.A. is the Data Controller for all personal data collected through this Website within the meaning of Article 4(7) GDPR.
02
Personal data we collect and why
We collect personal data through the channels set out below. For each, we identify the data collected, the purpose, and the legal basis under Article 6 GDPR.
| Source | Data collected | Purpose | Legal basis |
|---|---|---|---|
| Contact form | First name, last name, company or carrier name, job role, country, work email address | To respond to your enquiry and assess potential commercial or partnership opportunities | Legitimate interests (Art. 6(1)(f) GDPR): responding to a business enquiry is a legitimate interest that does not override your rights and freedoms |
| Web server logs | IP address (anonymised where feasible), browser type and version, pages visited, referring URL, date and time of visit | To ensure the security, availability, and correct functioning of the Website | Legitimate interests (Art. 6(1)(f) GDPR): maintaining the integrity and security of our Website |
| Strictly necessary cookies | Session identifiers and technical data required for Website operation | To enable basic Website functionality | Legitimate interests (Art. 6(1)(f) GDPR): no consent required for strictly necessary cookies under the ePrivacy Directive (2002/58/EC) |
We do not use analytics, advertising, marketing, or tracking cookies. We do not carry out automated decision-making or profiling within the meaning of Article 22 GDPR. Should we introduce additional cookies or change our processing activities, we will update this policy prior to doing so and implement any required consent mechanisms.
03
Our legitimate interests
Where we rely on legitimate interests (Article 6(1)(f) GDPR) as our legal basis, we have assessed that our interests are not overridden by your interests or fundamental rights.
- For contact form data: we process only the minimum data necessary to respond to a business enquiry. The processing is expected by anyone who voluntarily submits a contact form.
- For server logs: security monitoring is a necessary operational activity. The data is technical in nature, retained briefly, and not used to profile individuals.
You have the right to object to processing based on legitimate interests at any time. See section 7 below.
04
How long we keep your data
| Data | Retention period | Reason |
|---|---|---|
| Contact form submissions | Up to 24 months from last interaction | To allow reasonable follow-up on a business enquiry. Deleted sooner if the purpose is fulfilled or you request erasure. |
| Web server logs | Up to 90 days | Security monitoring and incident response. Automatically purged thereafter. |
| Strictly necessary cookies | Session duration or as set by the cookie | Expire at end of browser session or as technically required. |
Once the applicable retention period expires, or where you validly request erasure, personal data is securely deleted or anonymised.
05
Who we share your data with
We do not sell, rent, or trade your personal data to any third party.
We may engage trusted third-party service providers (such as hosting providers and IT security services) to operate our Website. Such providers act as data processors on our behalf, are bound by data processing agreements, and are permitted to process personal data only on our documented instructions.
We may also disclose personal data where required to do so by applicable law, a binding court order, or a competent supervisory or law enforcement authority.
06
Your rights as a data subject
Under the GDPR, you have the following rights. We will respond to any request without undue delay and within one calendar month of receipt (extendable by a further two months for complex or multiple requests, in which case we will notify you).
Art. 15
Right of access
Request a copy of the personal data we hold about you and information about how it is processed.
Art. 16
Right to rectification
Request correction of inaccurate or completion of incomplete personal data.
Art. 17
Right to erasure
Request deletion of your personal data where there is no longer a lawful basis for processing, subject to any overriding legal obligations.
Art. 18
Right to restriction
Request that we limit processing of your data in certain defined circumstances.
Art. 20
Right to data portability
Where processing is based on consent or contract and carried out by automated means, request your data in a structured, machine-readable format.
Art. 21
Right to object
Object at any time to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
To exercise any of these rights, please contact us at datasecurity@shiptimize.me. We may need to verify your identity before processing your request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.
If you are dissatisfied with how we handle your personal data or any request you make, you have the right to lodge a complaint with a supervisory authority. The competent authority in Portugal is:
You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work.
07
Data security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encryption in transit and at rest, access controls, and periodic security reviews.
No method of transmission over the internet or electronic storage is completely secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately at datasecurity@shiptimize.me.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours of becoming aware of the breach, and will communicate directly with affected individuals where required by Article 34 GDPR.
08
Changes to this policy
We may update this privacy policy from time to time to reflect changes in our processing activities, applicable law, or Website functionality. The current version is always available at www.shiptimize.me/privacy-policy, with the effective date shown at the top of the document.
Where changes are material, we will bring them to your attention by displaying a prominent notice on our Website before they take effect.
09
Contact
For any questions, concerns, or requests relating to this privacy policy or the processing of your personal data, please contact us:
Data controller
Paint Orange, S.A.
Registration No. 514530081
Registered address
PCI. Creative Science Park Aveiro Region, Via do Conhecimento, Edificio Central, 3830-352 Ilhavo, Portugal. Attn. Privacy and Data Security
Prepared in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Portuguese data protection law. Version 3.0 | Paint Orange, S.A., trading as Shiptimize.